Penetration Testing Services

Penetration testing is a critical component of your information security program. Whether you are conducting internal or external penetration testing, identifying critical exploits and remediating them in a timely fashion could mean the difference between becoming a victim of a data breach or fending off an attack.

Trusted by 1,000+ customers nationwide

Types of Penetration Testing We Offer

Several examples of the types of penetration testing we offer at Compass IT Compliance are:

Network Penetration Testing

Organizations rely on their networks to communicate and share confidential information and resources. Malicious actors are constantly at work to infiltrate these networks for personal and financial gain. Regular network penetration testing is critical to identify any vulnerabilities that could be exploited by hackers, such as weaknesses in security controls, lack of segmentation, unpatched software, and insecure configurations.

Internal vs. External Network Penetration Testing

Internal Penetration Tests - help gauge what a potential attacker can achieve during their initial access to a network. These tests monitor internal network threats and mirror insider threats, like employees intentionally or unintentionally conducting malicious actions.

External Penetration Tests - ideal for determining the effectiveness of perimeter security controls that prevent and detect attacks. These tests can also identify weaknesses in internet-facing assets such as web, mail and file transfer protocol (FTP) servers.

Web Application Penetration Testing

Web applications are one of the most significant points of vulnerability in organizations today. Web application holes have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting websites altered by attackers is too high to count. To combat this rising risk, Compass IT Compliance offers web application penetration testing to assist organizations with understanding their vulnerabilities and providing them with a remediation plan to mitigate their risk. Our web application penetration testing services can include any of the following based on your specific needs and requirements:

  • Application Vulnerability Assessment
  • Application Penetration Testing
  • Secure System Development Lifecycle Assessment
  • Static Code Review
  • Dynamic Code Review

Wireless Network Penetration Testing

Wireless network penetration testing involves evaluating the connections between all devices connected to an organization's wireless local area network (WLAN) or Wi-Fi. These devices include smartphones, tablets, laptops and other internet-enabled mobile devices. Putting the security of your wireless network to the test allows penetration testers to determine your security levels and offer solutions on how to strengthen them. Our wireless network penetration testing will:

  • Determine if a wireless network is vulnerable to attack
  • Determine how far a wireless network extends outside the physical boundaries of a facility
  • Test the authorization and authentication system
  • Determine how well wireless IDS / IDP is working
  • Determine if the wireless deployment meets compliance / best practices requirements (FFIEC and NIST)
  • Provide detailed recommendations for strengthened security configurations and remediation prioritized by urgency

Mobile Application Penetration Testing

Many organizations today utilize mobile applications to communicate with and provide services to their customers. The large amounts of data being processed by these apps are often sensitive and confidential, making them a perfect target for malicious actors. Rapid development of mobile apps also furthers the risk of critical vulnerabilities being overlooked. Mobile application penetration testing is critical to secure these applications before security vulnerabilities can be exploited by malicious actors. Compass IT Compliance utilizes industry best practices and methodologies for mobile application penetration testing, such as the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG). These methodologies ensure a complete and consistent approach to the assessment. Testing may be conducted using various methods including:

  • Sniffing of Traffic
  • Code Review
  • Testing of APIs

Cloud Penetration Testing

In today's world, with rising infrastructure costs and ever-escalating security threats, many organizations have decided to host some or all of their environment and data in the cloud instead of locally on premises. Well-known cloud services, such as Amazon Web Services, Microsoft Azure, and Google, all offer robust environments that allow users to leverage a modern, well-secured hardware environment. Just because the physical environment is certified secure does not mean that your environment is secure or compliant. Securing what is in the cloud is just as important as making sure the cloud itself is secure. Our cloud penetration test will identify weaknesses within the configuration, policies, and access controls of a cloud environment. Our assessment includes reviews of both the data and the applications in the cloud to determine common weaknesses in:

  • Installation
  • Configuration
  • Policies
  • Object Access Control

Social Engineering Penetration Testing

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Countless employees have fallen victim to these convincing schemes, often accompanied by a significant loss of money or data. Social engineering is among the most popular attack vectors for malicious actors as it relies on human error rather than solely exploiting technical vulnerabilities, which is often far more difficult.

The key to addressing these human vulnerabilities is a robust social engineering penetration testing program including simulated attacks to gauge employee awareness and recognition of the latest threats. Our testing simulations include:

Red Team Penetration Testing

For organizations looking for a defense-in-depth approach, Compass IT Compliance offers red team penetration testing. This service consists of an adversary attack simulation across all assets of your organization. Your people, processes, technology, and facilities will all be in scope and will be tested simultaneously. The methodologies utilized will most closely resemble a real-world attack, combining various physical and cyber exploits to uncover vulnerabilities.

The assessment rules of engagement and core organizational information are entirely customizable to fit your unique needs. Our team of ethical hackers will use all applicable techniques available to achieve your desired objectives. This may include:

  • Utilizing previously exposed data on the dark web
  • Phishing and vishing to gather information from employees
  • Physical site visits to exploit vulnerabilities in security controls and human trust
  • A blend of network, web application, wireless network, mobile application, and cloud penetration testing

White Label Penetration Testing

White label penetration testing services allow your company to leverage Compass IT Compliance's highly skilled and certified team to offer quality penetration testing services to your clients under the umbrella of your established and reputable brand. Our cybersecurity professionals can work seamlessly within your project management environment, displaying a unified front in delivering quality and timely deliverables with industry-leading insights into vulnerabilities present and the steps necessary to remediate risks.

Professional service organizations and IT managed service providers (MSPs) have sought a partnership with our team for the following reasons:

  • The opportunity to gain competitive advantage and expand service offerings to reach new customers who are looking for an all-in-one solution
  • To fulfill a gap in talent within your existing team, either in the interim or long-term
  • The ability to offer a wider array of service capabilities to existing clients without the need to send them to other vendors
  • To satisfy conflict of interest concerns and utilize an independent set of eyes to verify IT security and compliance

Black Box, Gray Box and White Box Penetration Testing

Penetration testing (or pen testing) engagements are classified based on the level of system knowledge and access granted to the tester at the start of the engagement. The classification of these tests includes black box, gray box, and white box testing. Each category, or "box", brings with it different testing methodologies ideal for different situations.

Black Box

Starts with zero access and no prior knowledge of the attack target.

Gray Box

Involves limited access and some knowledge of the target.

White Box

Starts with administrator access and knowledge of the target.

Industries We Serve

Compass IT Compliance offers penetration testing to a comprehensive range of industries. We can assist you in various areas, from restaurants, hotels, tourism, and entertainment businesses in the hospitality industry to gambling industry areas such as sports betting, casinos, and lotteries. Our team services utilities, along with companies in the technology and manufacturing industries. Other industries we can assist include:

Industry Best Practices

Our penetration testing services — whether a black, gray, or white box test — follow industry best practices and methodologies, such as the Open Source Security Testing Methodology Manual (OSSTMM) and the National Institute of Standards and Technology (NIST). These methodologies ensure a complete and consistent approach to testing while identifying potential threats, pinpointing the devices that could be compromised, and providing you with a detailed, prioritized remediation plan so you can bolster your defenses before an attack comes your way!

Why Choose Compass?

Organizations of all sizes choose Compass IT Compliance to assist with their penetration testing needs. The reasons why are simple:

Our team: Our highly trained and extensively certified security professionals make us the best penetration testing company in the business. We work with you and your team to provide detailed, actionable results that you can use to mitigate your risk.

Our process: We start each engagement by outlining the expectations of all team members, what the testing will include, and the testing hours based on your unique business needs. We work to conduct our testing and provide our detailed reporting in a timely fashion so you can remediate any vulnerabilities. If we find high-risk vulnerabilities during our testing, we will immediately notify you to determine the best course of action to mitigate your risk.

Our Penetration Testing Methodology

Our penetration testing methodology consists of the following steps:

Analysis

Analyze the system(s) in scope for testing and obtain as much information as possible before conducting the test.

Scanning

Conduct vulnerability scanning to identify any potential vulnerabilities and/or exploits present on the target(s). The vulnerabilities identified in the vulnerability scan will be further researched to determine whether exploit code exists. If exploit code is available, the code will be used to exploit the vulnerability and penetrate the host in the next step.

Testing

Conduct penetration testing, using various methodologies, to determine the exploitability of the target(s). All testing will abide by the Rules of Engagement document that is created by our team in collaboration with your organization and will outline testing expectations, procedures, and methodologies that will be used to perform the penetration test.

Reporting

Provide you with multi-level reporting to satisfy all of the key stakeholders in your organization. For your technical team, we will provide a detailed technical report outlining the methodology used, the vulnerabilities identified, whether penetration was successful, and specific remediation strategies to mitigate your risk and patch the vulnerability. For your executive team, we will provide a high-level overview of the overall process that was used, any significant risks that were uncovered, and the overall risk level of the organization.


Ready to Get Started?

Connect With Compass IT Compliance Today

Let Compass IT Compliance assist your organization in assessing any risks present through our penetration testing services. We will enable you to secure your systems, comply with regulatory compliance requirements, and save time, money and resources in the process. Fill out the form below today to discuss your unique situation with a knowledgeable team member.